AntFlow is a production-grade AI agent platform forked from DeerFlow and deeply enhanced with core architectural patterns from Claude Code — Anthropic's Agent Operating System.
Why the name? "Ant" nods to Anthropic, whose Claude Code source code inspired the architectural overhaul. "Flow" inherits from DeerFlow's workflow orchestration DNA.
| Enhancement | From Claude Code | What It Does |
|---|---|---|
| Permission System | 5-level layered model | Every tool call checked against READ_ONLY → ALLOW policy |
| Hook Governance | PreToolUse / PostToolUse | Audit, block, or modify any tool call via shell scripts or Python |
| Execution Pipeline | toolExecution.ts | Structured 5-stage pipeline: Permission → PreHook → Execute → PostHook → Merge |
| Prompt Assembly | getSystemPrompt() | Modular builder with static/dynamic cache boundary, ~88% cache hit |
| Context Compaction | compact.rs | Zero-LLM-cost deterministic compression for long conversations |
| Plugin System | plugin.json manifests | Declarative plugins contributing tools, hooks, and permissions |
| Specialized Agents | Built-in agents | Explore (read-only), Plan (strategy), Verification (adversarial) |
| Prompt Best Practices | Prompt sections | Git safety, linter feedback, code citing, code change rules |
This is not a thin wrapper or prompt tweak. We studied Claude Code's source code in depth and ported its key engineering systems into the DeerFlow harness. Here is what was added:
Borrowed from Claude Code's layered permission model. Every tool call now passes through a policy engine before execution.
| Level | Description |
|---|---|
READ_ONLY |
Only read operations allowed |
WORKSPACE_WRITE |
Read + file write within workspace |
DANGER_FULL_ACCESS |
Unrestricted (bash, system commands) |
PROMPT |
High-risk tools require interactive user approval |
ALLOW |
All tools permitted (default, backward-compatible) |
Configure in config.yaml:
permissions:
enabled: true
mode: "allow" # or "workspace_write", "read_only", "prompt"
tool_overrides:
bash: "danger_full_access"
write_file: "workspace_write"Inspired by Claude Code's PreToolUse / PostToolUse hook protocol. Programmable interception points before and after every tool call.
- External hooks: Shell scripts following Claude Code's stdin/exit-code protocol (
exit 0= allow,exit 2= deny) - Python hooks: Callable functions resolved at runtime
- Use cases: Audit logging, sensitive path blocking, input sanitization, compliance enforcement
hooks:
enabled: true
pre_tool_use:
- command: "bash scripts/hooks/audit_hook.sh"
- command: "python scripts/check_sensitive_paths.py"
tools: ["bash", "write_file"]
post_tool_use:
- command: "bash scripts/hooks/audit_hook.sh"Claude Code doesn't call tools directly — it runs them through a structured 5-stage pipeline. We ported this:
Permission Check → Pre-Hook → Execute Tool → Post-Hook → Merge Feedback
Every tool call follows this path. No exceptions, no shortcuts.
Ported from Claude Code's getSystemPrompt() architecture. The system prompt is no longer a static template — it's a runtime-assembled composition of independent sections:
- Static prefix (cacheable): Identity, tool usage rules, git safety protocol, linter feedback guidelines, code citing rules
- Dynamic suffix (per-session): Environment info, active skills, working directory, subagent config
A SYSTEM_PROMPT_DYNAMIC_BOUNDARY marker enables API-level prompt caching, reducing token costs by ~88%.
Claude Code's compact.rs reimplemented in Python. When conversations grow long, this engine deterministically compresses history without calling an LLM:
- Zero cost: No API calls, no token spend — pure local extraction
- Structured summaries:
[User requests],[Tools used],[Key paths],[Timeline] - Re-compaction: Already-compacted conversations can be compacted again (merge, not overwrite)
- Precise token tracking: Supports both estimation (4 chars ≈ 1 token) and API-reported exact counts
This coexists with the original LangChain SummarizationMiddleware — compaction serves as a higher-threshold fallback.
Mirrors Claude Code's plugin architecture. Plugins contribute tools, hooks, and runtime constraints via plugin.json manifests:
{
"name": "amazon-sp-api",
"version": "1.0.0",
"tools": [
{ "name": "search_products", "module": "plugins.amazon.tools", "callable": "search" }
],
"permissions": { "search_products": "read_only" },
"hooks": {
"pre_tool_use": [{ "use": "plugins.amazon.audit:log_api_call" }]
}
}Borrowed from Claude Code's built-in agent specialization (Explore, Plan, Verification). Instead of one generic worker, tasks are delegated to purpose-built sub-agents:
| Agent | Role | Constraints |
|---|---|---|
| Explore | Read-only code/data exploration | Cannot modify any files |
| Plan | Strategic planning and architecture | Read-only, structured output |
| Verification | Adversarial validation of results | Mandatory checks before delivery |
Integrated Claude Code's proven prompt sections as reusable modules:
- Git Safety Protocol — Prevents destructive git operations (
push --force,hard reset, etc.) - Linter Feedback — Guides the agent to check and fix linter errors after code edits
- Code Citing — Standardized format for referencing existing code vs. proposing new code
- Making Code Changes — Rules for reading before editing, preferring edits over new files
┌─────────────────────────────────────────────────────┐
│ AntFlow Agent │
│ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ SystemPromptBuilder │ │
│ │ [Static: Identity + Rules + Safety] │ │
│ │ ─── CACHE BOUNDARY ─── │ │
│ │ [Dynamic: Env + Skills + Session] │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────── Middleware Chain ────────────────┐ │
│ │ Permission → Hook → Summarization → Compaction │ │
│ │ → Todo → TokenUsage → Title → Memory → Loop │ │
│ │ → Clarification │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ ┌─────────── Tool Execution Pipeline ────────────┐ │
│ │ PermCheck → PreHook → Execute → PostHook → Merge│ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ ┌──────────── Specialized SubAgents ─────────────┐ │
│ │ Explore (RO) │ Plan (RO) │ Verification (RO) │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ ┌──────────── Plugin System ─────────────────────┐ │
│ │ plugin.json → Tools + Hooks + Permissions │ │
│ └─────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
- Python 3.12+
- Node.js 22+
- uv (Python package manager)
- pnpm (Node.js package manager)
git clone https://github.com/fang503/antflow.git
cd antflow
make config # Generate config.yaml from template
make install # Install all dependencies
make dev # Start development serverOpen http://localhost:2026 in your browser.
Edit config.yaml to:
- Configure your LLM model (Claude, GPT, Gemini, DeepSeek, etc.)
- Enable/disable governance features (permissions, hooks, compaction)
- Add plugin directories
- Adjust token budgets and compaction thresholds
AntFlow inherits all of DeerFlow 2.0's capabilities:
- Sub-Agent Orchestration — Flash / Thinking / Pro / Ultra modes
- Sandbox Execution — Docker-based isolated environments
- Long-Term Memory — Persistent agent memory across sessions
- MCP Integration — Model Context Protocol for external tool servers
- ACP Integration — Agent Communication Protocol for agent-to-agent calls
- Skill System — Extensible workflow packages
- Multi-Model Support — Claude, GPT, Gemini, DeepSeek, Kimi, and more
- Web UI — Next.js frontend with real-time streaming
- DeerFlow by ByteDance — The foundation this project is built upon
- Claude Code by Anthropic — The Agent OS architecture that inspired the renovation
- LangChain / LangGraph — Agent framework and orchestration